Sessions brute forcing
How feasible is it to brute force sessions?

I'm currently using CodeIgniter database sessions, which does not utilize native PHP sessions - session cookie encryption and user agent matching are turned on.

Say I set the session expiration to 4 months, would somebody be able to brute force their way through session ids? Not just to take over sessions but also mass deleting things off accounts, causing general mayhem, etc. (CI's CSRF protection is turned on.)

I'd like to give most users a long lasting session id where anonymous users are given most of the functionality of a registered user, like favorite things - similar to StackOverflow.

Corot answered 15/8, 2011 at 20:7
CodeIgniter Sessions DO NOT utilize native PHP sessions (whether database or otherwise); as such, you can turn on session encryption using the encryption key provided in your config.php file, which will help with your security concerns...

Coniferous answered 15/8, 2011 at 20:11

Comment: I accidentally left out the "not" - it is fixed now. Like I mentioned in my original post, I have session encryption turned on. - Corot
If your encryption key is long and complex (I just type gibberish for my CI encryption keys) then no, it's not likely brute-forceable with today's technology, I would say. If your key is a dictionary word and/or words, then yes, it could be likely to happen in 4 months.

Unless your site is massively popular, I don't think a hacker would waste his time hacking your site. There is always someone bigger and better than you that hackers will target first.

Osyth answered 15/8, 2011 at 22:27
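What actually decides whether the 4-month expiry in the question is a problem is the size of the session ID space and how many valid IDs exist at once: a longer lifetime means more live sessions for a random guess to land on. The estimator below is an added example written for this thread, not CodeIgniter code; the ID entropy, signup rate and attacker request rate are all assumed inputs, since the thread does not state how CodeIgniter generates its IDs.

```python
import math

# OWASP's session-management guidance asks for at least 64 bits of entropy in a session ID.
MIN_SESSION_ID_BITS = 64
SECONDS_PER_YEAR = 365 * 86400


def live_sessions(new_sessions_per_day: float, lifetime_days: float) -> float:
    """Steady-state number of valid session IDs (arrival rate x lifetime, Little's law).

    A 4-month expiry keeps ~120 days of sessions valid at once; a 1-day expiry keeps one day's.
    """
    return new_sessions_per_day * lifetime_days


def expected_guesses(id_bits: int, live: float) -> float:
    """Expected random guesses until one lands on any of `live` valid IDs in a 2**id_bits space.

    Each guess is a Bernoulli trial with success probability live / 2**id_bits, so the
    expected number of trials is the reciprocal. Assumes IDs are uniformly random.
    """
    return (2.0 ** id_bits) / live


def expected_years(id_bits: int, live: float, guesses_per_second: float) -> float:
    """Wall-clock time to hijack one session at the given sustained guess rate."""
    return expected_guesses(id_bits, live) / guesses_per_second / SECONDS_PER_YEAR


def feasibility(id_bits: int, new_sessions_per_day: float,
                lifetime_days: float, guesses_per_second: float) -> dict:
    """Summarise brute-force risk for one session configuration."""
    live = live_sessions(new_sessions_per_day, lifetime_days)
    years = expected_years(id_bits, live, guesses_per_second)
    return {
        "live_sessions": live,
        "expected_years": years,
        "meets_entropy_minimum": id_bits >= MIN_SESSION_ID_BITS,
        # Also flag whether the attacker's expected effort exceeds the session's own lifetime.
        "guess_outlives_session": years * 365 > lifetime_days,
    }


if __name__ == "__main__":
    # Constructed scenario: 1,000 new sessions/day, 4-month (120-day) expiry, 1M guesses/s.
    for bits in (32, 64, 128):
        r = feasibility(bits, 1000, 120, 1e6)
        print(f"{bits:>3}-bit IDs: {r['live_sessions']:.0f} live, "
              f"{r['expected_years']:.3g} years expected, ok={r['meets_entropy_minimum']}")
```

The 4-month lifetime only scales the attacker's odds linearly with the number of live sessions; the ID entropy scales them exponentially, which is why the bit count, not the expiry, is the figure to check.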